The documentation for this feature presents a bit of a problem, since
most of the functionality of librewrite is documented in
slapo-rwm(5). When SLAP_AUTH_REWRITE is defined (which it is, whenever
--enable-rewrite is used) then all of librewrite's capabilities really
should be in the main slapd documentation.

Possibly big enough to move to a slapd.rewrite(5) page.

I don't want to add too much burden to this thread, but librewrite is
showing the signs of age. It needs some reworking. I think Howard
started working to (or at least though about) adding some callback
capabilities. Things like the LDAP map should definitely be reworked
that way, so that slapd internals relying on that feature can use direct
internal searches rather than resorting to a real LDAP operation. One
thing that would improve and streamline much of the code is the use of
bervals for the whole API. Unless that library got in use outside of
OpenLDAP's suite (I personally used it in a couple of projects, but I
can easily rework them), the current API could be preserved replacing
char* with BerValue*; otherwise a rewrite_bv_*() API could be designed,
and the current one could be wrapped around it.